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Abstract 

An undetected eavesdropping attack must produce count rate statistics that are 
indistinguishable from those that would arise in the absence of such an attack. In 
principle this constraint should force a reduction in the amount of information available 
to the eavesdropper. In this paper we illustrate, by considering a particular class of 
eavesdropping attacks, how the general analysis of this problem may proceed. 
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1 Introduction 



The analysis of the types of attacks an eavesdropper (Eve) can make on quantum key distri- 
bution protocols is the subject of intensive research |jl|, 0]. An important goal of this research 
is to find upper bounds on the amount of secret key information that may be compromised 
by the attack. In this paper we explore the consequences of the fact that Eve must conceal 
her attack from the sender (Alice) and the receiver (Bob) of the secret key material. The 
importance of unperturbed error statistics is well established in the literature. However 
other important signatures of Eve's activity, such as the effect on overall count rate and 
the incidence of multiple photon events at Bob's apparatus, have not yet received sufficient 
attention. In this paper we describe a specific class of attack and analyze the extent to which 
these constraints can reduce the amount of information available to an eavesdropper. 



2 Analysis 

Alice and Bob use a BB84 protocol augmented with error correction, authentication, and 
privacy amplification. We consider the special case of weak coherent pulses produced by 
attenuating the output of a pulsed laser. The number of photons in any given pulse is a 
Poison-distributed random variable: 

x{^^J) = e-^^, (1) 

where is the average number of photons per pulse. The quantum channel is characterized 
by a transmittivity a, and the quantum efficiency of Bob's detector is t]. The dark count rate 
of the detector will not be taken into account as it substantially complicates the analytical 
results without providing significant additional insight. Eve begins her attack by measuring 
the number of photons in the pulse. This destroys the coherence of the pulse, but does not 
affect the polarization, which encodes the information Alice and Bob intend to share. The 
rest of the attack then depends on the number of photons in the pulse. 

If there are 3 or more photons in the pulse. Eve makes a "direct" attack p| by making separate 
measurements of the polarizations of the photons. We denote by ze (l) the probability that 
she is successful in determining the polarization of the photons sent by Alice 0, ^. If she is 
successful, she arranges for an accomplice to inject a photon of the correct polarization state 
into the transmission channel near Bob's detector. This ensures that any qubit whose value 
she knows is among those that Bob actually receives. If the measurements do not determine 
the state, she does nothing, and Bob receives no photons for that pulse. By itself, this 
would result in a measurable change in the count statistics by which Bob could detect the 
eavesdropping. Eve compensates for this by blocking some of the pulses that contain only 1 
or 2 photons. Finally, Eve eavesdrops on the classical channel during sifting to discover which 
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of the pulses result in bits of sifted key material. She then uses her measured polarizations 
to determine this subset of Alice and Bob's shared key. 



If there are 2 photons in the pulse, Eve blocks the pulse with some probability pi,. Otherwise 
she makes an "indirect" attack in which she stores the state of one of the photons in a 
quantum memory until after the sifting phase. By eavesdropping on the sifting phase, she 
learns which basis to use to measure the stored photon, thus unambiguously determining 
the value of the bit shared by Alice and Bob. In it is shown that direct attacks are more 
effective than indirect attacks when the probability of a photon reaching Bob is below a 
certain threshold but that direct attacks are of no use when there are only 2 photons in the 
pulse Eve chooses to use direct attacks for the stronger pulses and indirect attacks for 
the 2-photon pulses. 

Finally, if there is 1 photon in the pulse. Eve blocks the pulse with probability pf,. If the pulse 
is not blocked, she lets a fraction 1—pm of the pulses pass through. For the remaining pulses, 
she picks a basis at random and measures the polarization in that basis. She then prepares 
a photon in the state she has measured and sends it to Bob. In this case, the photons for 
which she chose the wrong basis will increase the error rate seen by Alice and Bob. We 
assume that Eve has the technology required to compensate Alice and Bob's intrinsic error 
rate (this common assumption constitutes a compromise of transmission security [2]). She 
then adjusts the parameter pm so that the error rate observed by Alice and Bob is within 
the limits they expect. 

We wish to determine the average amount of information leaked to Eve using this particular 
attack. Consider first the information she obtains from the single-photon pulses. For Eve to 
obtain a bit of information, 1 photon must be in the initial pulse, it must not be blocked by 
Eve, it must be measured by Eve, it must reach Bob, it must be detected by his detector, 
and all parties must use compatible bases. If there are 2 photons in the initial pulse. Eve 
will obtain a bit of the sifted key if she does not block the pulse, if the photon she passes 
is received and detected by Bob, and if Alice and Bob use compatible bases. If there are 
3 or more photons. Eve's attack is successful if she successfully measures the state, if Bob 
detects the photon, and if Alice and Bob use compatible bases. The resulting expression for 
the information obtained by Eve is then (the superscript emphasizes the fact that we do not 
consider the effect of error correction) 



^partial 



(/^, 1) (1 - Pb) PniW + X (^, 2) (1 - pfc) r]a + Ze (/i) r] 



(2) 



where we denote by ze (/i) the average of ze il) over the photon number states / > 3. 



Recall that Eve must tune the parameters ph and pm so that the count rate and error rate 
measured by Bob are the same as they would have been with no eavesdropping. General 
expressions for the number of sifted bits per block and the number of errors per block may 
be found in [0. The number of sifted bits in the limit of vanishing dark count is 
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7TI 

n = —ip ivf^a, 1) , (3) 

where ifj {X, I) is the probabihty for having / or more photons in a coherent pulse with mean 
photon number X. We next find the number of sifted bits per block when Eve is making 
the attack described above: 



m 

n = — < 
2 



X 1) + X (At, 2) J (1 - pb) r]a + ze (/i) Vj ■ (4) 
We may now determine pb by requiring n = n, which gives 

Pfe = 1 - T -1 — • (5) 

1) + 2)J?7a 

The value pb thus obtained must be between and 1. This implies constraints on the region of 
parameter space in which the attack as described can be performed at all. The consequences 
of these constraints will be explored in detail in a subsequent paper P] . The principal effect 
is to force Eve to modify her attack in a way that further reduces the amount of information 
she is able to obtain. 

Next we consider the error rate. In the absence of Eve's attack, the number of errors in 
Bob's sifted key is 

TTl 

ct = —i^ ivfJ-Oi, 1) rc , (6) 

where is the intrinsic error probability of the source, channel, and detector apparatus 
and we have ignored the dark count. We assume that Eve can control the error rate of the 
channel from Alice to Bob. If so, then she achieves the strongest attack by removing the 
intrinsic errors entirely, in which case we have 

TTl 

er = — 1) (1 -P6)Pm??tt • (7) 
Eve therefore adjusts pm to avoid perturbing the error count, resulting in 

ip {r]i2a, 1) 4rc 



m 



1)?7«1 -Pb 



This quantity must be no larger than 1, which implies an additional constraint on the 
parameter space H. 
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Note that we have not yet discussed the effect of Eve's attack on the probabihty that Bob 
receives multiple photon counts for a given pulse. Since this is also a measurable consequence 
of her attack, she must adjust her attack to emulate the unperturbed multiple photon event 
statistics seen by Bob. One approach to this issue has been analyzed in We explore this 
topic further in p. 



3 Conclusion 

The Figure shows the information loss, 5?'"''**'^^ as a function of n, for three cases of interest. 
The other parameters are chosen to have reasonable practical values (a = 0.01, 77 = 0.5, Vc = 
0.01). The upper curve is an upper bound for all attacks consistent with the measured error 
rate The lower curve is for the attack described here, in which Eve adjusts her parameters 
to match both the count rate and the error rate. The curve in the middle is for an attack in 
which Eve matches the error rate, but does not attempt to match the count rate. Note that 
the middle and lower curves come close to achieving the maximum for small /i. Requiring 
Eve to match the count rate modestly reduces the strength of her attack. 
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Figure 1: Partial Privacy Amplification Functions for Maximal and Special Attacks 
This analysis raises several questions for further research. First, can these results be extended 
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to incorporate a general attack by Eve? Second, are there regions of (/i, a, 77, Vc) space 
for which the enforced reduction of information available to Eve through eavesdropping 
becomes significant? If so, the corresponding rates of key generation will be greater than 
current estimates predict. Finally, what is the effect of imprecise knowledge of the parameters 
/i, a, r], Tc on these results? 
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